From cfde6bc8319fe09f87070c4bcc1a98e80f08fcef Mon Sep 17 00:00:00 2001 From: Junyeon Lee Date: Thu, 23 Mar 2017 01:37:46 +0900 Subject: [PATCH] net/tls: add new apis for supporting h/w routine This commit adds new internal apis for supporting hardware accelerator(SSS). Change-Id: I2714c43affed7c3c9dc9f596fe13137629de671a Signed-off-by: Junyeon Lee --- os/include/tls/see_api.h | 16 +++ os/include/tls/see_internal.h | 77 ++++++++++++++ os/net/tls/Make.defs | 2 +- os/net/tls/see_api.c | 16 +-- os/net/tls/see_internal.c | 233 ++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 328 insertions(+), 16 deletions(-) create mode 100644 os/include/tls/see_internal.h create mode 100644 os/net/tls/see_internal.c diff --git a/os/include/tls/see_api.h b/os/include/tls/see_api.h index d140e64..ad5a733 100644 --- a/os/include/tls/see_api.h +++ b/os/include/tls/see_api.h @@ -111,6 +111,20 @@ #define MAX_KEY_INDEX 0x08 #define MAX_CERT_INDEX 0x08 +//#define ISP_CHECKBUSY() while(isp_get_status()){} +#define ISP_CHECKBUSY() + +#define _SEE_MUTEX_LOCK \ +{ \ + if (see_mutex_lock(&m_handler) != 0) \ + return -1; \ +} +#define _SEE_MUTEX_UNLOCK \ +{ \ + if (see_mutex_unlock(&m_handler) != 0) \ + return -1; \ +} + /**************************************************************************** * Public types ****************************************************************************/ @@ -142,6 +156,8 @@ typedef struct cert_options { int selfsign; } cert_opt; +extern see_mutex_t m_handler; + /**************************************************************************** * Public Function Prototypes ****************************************************************************/ diff --git a/os/include/tls/see_internal.h b/os/include/tls/see_internal.h new file mode 100644 index 0000000..1e269b4 --- /dev/null +++ b/os/include/tls/see_internal.h @@ -0,0 +1,77 @@ +/**************************************************************************** + * + * Copyright 2016 Samsung Electronics All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, + * either express or implied. See the License for the specific + * language governing permissions and limitations under the License. + * + ****************************************************************************/ + +/// @file see/see_internal.h +/// @brief SEE api for using in TLS internal. + +#ifndef __SEE_INTERNAL_H +#define __SEE_INTERNAL_H + +/**************************************************************************** + * Included Files + ****************************************************************************/ + +#include "tls/see_api.h" + +/**************************************************************************** + * Pre-processor Definitions + ****************************************************************************/ + +#define SEE_MAX_ENCRYPTED_KEY_SIZE (1280) + +#define DHM_1024 (128) +#define DHM_2048 (256) + +/**************************************************************************** + * Public types +****************************************************************************/ + +/**************************************************************************** + * Public Function Prototypes + ****************************************************************************/ + +#if defined(CONFIG_HW_ECDH_PARAM) +int see_generate_key_internal(unsigned int key_type, unsigned char *key_buf, + unsigned int key_len, unsigned int pukey_e); + +int see_get_ecc_publickey_internal(struct sECC_KEY *ecc_pub, unsigned char *key_buf, + unsigned int object_id); + +int see_compute_ecdh_param_internal(struct sECC_KEY *ecc_pub, unsigned char *key_buf, + unsigned char *output, unsigned int *olen); +#endif /* CONFIG_HW_ECDH_PARAM */ + +#if defined(CONFIG_HW_DH_PARAM) +int see_supported_dhm_size(int size); + +int see_generate_dhm_params_internal(struct sDH_PARAM *d_param, unsigned char *key_buf); + + +int see_compute_dhm_param_internal(struct sDH_PARAM *d_param, unsigned char *key_buf, + unsigned char *output, unsigned int *olen); +#endif /* CONFIG_HW_DH_PARAM */ + +#if defined(CONFIG_HW_ECDSA_VERIFICATION) +int see_setup_key_internal(unsigned char *key_der, unsigned int key_len, + unsigned int key_type, unsigned char *key_buf); + +int see_verify_ecdsa_signature_internal(struct sECC_SIGN *ecc_sign, + unsigned char *hash, unsigned int hash_len, + unsigned char *key_buf); +#endif /* CONFIG_HW_ECDSA_VERIFICATION */ +#endif /* __SEE_INTERNAL_H */ diff --git a/os/net/tls/Make.defs b/os/net/tls/Make.defs index 3acf4e1..de3b4f2 100644 --- a/os/net/tls/Make.defs +++ b/os/net/tls/Make.defs @@ -81,7 +81,7 @@ SRC_TLS_CSRCS = debug.c net.c ssl_cache.c \ ssl_ticket.c ifeq ($(CONFIG_TLS_WITH_SSS),y) -SRC_SEE_CSRCS += see_api.c +SRC_SEE_CSRCS += see_api.c see_internal.c endif TLS_CSRCS += $(SRC_CRYPTO_CSRCS) $(SRC_X509_CSRCS) $(SRC_TLS_CSRCS) $(SRC_SEE_CSRCS) diff --git a/os/net/tls/see_api.c b/os/net/tls/see_api.c index 246b39a..9bdd759 100644 --- a/os/net/tls/see_api.c +++ b/os/net/tls/see_api.c @@ -30,21 +30,7 @@ #include "tls/see_api.h" -static see_mutex_t m_handler = { PTHREAD_MUTEX_INITIALIZER, 0 }; - -#define _SEE_MUTEX_LOCK \ -{ \ - if (see_mutex_lock(&m_handler) != 0) \ - return -1; \ -} -#define _SEE_MUTEX_UNLOCK \ -{ \ - if (see_mutex_unlock(&m_handler) != 0) \ - return -1; \ -} - -//#define ISP_CHECKBUSY() while(isp_get_status()){} -#define ISP_CHECKBUSY() +see_mutex_t m_handler = { PTHREAD_MUTEX_INITIALIZER, 0 }; int see_init(void) { diff --git a/os/net/tls/see_internal.c b/os/net/tls/see_internal.c new file mode 100644 index 0000000..83f7003 --- /dev/null +++ b/os/net/tls/see_internal.c @@ -0,0 +1,233 @@ +/**************************************************************************** + * + * Copyright 2016 Samsung Electronics All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, + * either express or implied. See the License for the specific + * language governing permissions and limitations under the License. + * + ****************************************************************************/ + +/// @file see/see_internal.c +/// @brief security api for using in TLS internal + +#include +#include +#include + +#include "tls/see_internal.h" + +#if defined(CONFIG_HW_ECDH_PARAM) +int see_generate_key_internal(unsigned int key_type, unsigned char *key_buf, + unsigned int key_len, unsigned int pukey_e) +{ + int r = 0; + unsigned int key = key_type & 0xFF0000; + unsigned int object_id = key_type & 0xFF; + + SEE_DEBUG("%s IN\n", __func__); + + _SEE_MUTEX_LOCK + switch (key) { + case ECC_KEY: + ISP_CHECKBUSY(); + r = isp_ecdsa_generate_key_encryptedkey(object_id, key_buf); + break; + default: + _SEE_MUTEX_UNLOCK + return SEE_INVALID_INPUT_PARAMS; + } + _SEE_MUTEX_UNLOCK + + if (r) { + SEE_DEBUG("isp_generate_key fail %x %x %x\n", r, key, object_id); + isp_clear(0); + return SEE_ERROR; + } + + SEE_DEBUG("%s OUT\n", __func__); + return SEE_OK; +} + +int see_get_ecc_publickey_internal(struct sECC_KEY *ecc_pub, unsigned char *key_buf, + unsigned int object_id) +{ + unsigned int r; + + SEE_DEBUG("%s IN\n", __func__); + + if (ecc_pub == NULL || key_buf == NULL) { + return SEE_INVALID_INPUT_PARAMS; + } + + _SEE_MUTEX_LOCK + ISP_CHECKBUSY(); + if ((r = isp_ecdsa_get_publickey_encryptedkey(ecc_pub, object_id, key_buf)) != 0) { + isp_clear(0); + _SEE_MUTEX_UNLOCK + SEE_DEBUG("isp_get_ecdsa_pubkey fail %x\n", r); + return SEE_ERROR; + } + _SEE_MUTEX_UNLOCK + + SEE_DEBUG("%s OUT\n", __func__); + return SEE_OK; +} + +int see_compute_ecdh_param_internal(struct sECC_KEY *ecc_pub, unsigned char *key_buf, + unsigned char *output, unsigned int *olen) +{ + int r; + + SEE_DEBUG("%s IN\n", __func__); + + if (ecc_pub == NULL || output == NULL || olen == NULL || key_buf == NULL) { + return SEE_INVALID_INPUT_PARAMS; + } + + _SEE_MUTEX_LOCK + ISP_CHECKBUSY(); + if ((r = isp_compute_ecdh_encryptedkey(output, olen, *ecc_pub, key_buf)) != 0) { + isp_clear(0); + _SEE_MUTEX_UNLOCK + SEE_DEBUG("isp_compute_ecdh_param fail %x\n", r); + return SEE_ERROR; + } + _SEE_MUTEX_UNLOCK + + SEE_DEBUG("%s OUT\n", __func__); + return SEE_OK; +} +#endif /* CONFIG_HW_ECDH_PARAM */ + +#if defined(CONFIG_HW_DH_PARAM) +int see_supported_dhm_size(int size) +{ + switch (size) { + case DHM_1024: + case DHM_2048: + return 1; + default: + return 0; + } + return 0; +} + +/* Generate G, P, GX (G^X mod P) */ +int see_generate_dhm_params_internal(struct sDH_PARAM *d_param, unsigned char *key_buf) +{ + int r; + + SEE_DEBUG("%s IN\n", __func__); + + if (d_param == NULL || key_buf == NULL) { + return SEE_INVALID_INPUT_PARAMS; + } + + _SEE_MUTEX_LOCK + ISP_CHECKBUSY(); + if ((r = isp_dh_generate_keypair_userparam_encryptedkey(d_param, key_buf)) != 0) { + isp_clear(0); + _SEE_MUTEX_UNLOCK + SEE_DEBUG("isp_generate_dh_param fail %x\n", r); + return SEE_ERROR; + } + _SEE_MUTEX_UNLOCK + + SEE_DEBUG("%s OUT\n", __func__); + return SEE_OK; +} + +/* Compute shared secret key = GXY ((G^Y)^X mod P) */ +int see_compute_dhm_param_internal(struct sDH_PARAM *d_param, unsigned char *key_buf, + unsigned char *output, unsigned int *olen) +{ + int r; + + SEE_DEBUG("%s IN\n", __func__); + + if (d_param == NULL || output == NULL || olen == NULL || key_buf == NULL) { + return SEE_INVALID_INPUT_PARAMS; + } + + _SEE_MUTEX_LOCK + ISP_CHECKBUSY(); + if ((r = isp_dh_compute_shared_secret_encryptedkey(output, olen, *d_param, key_buf)) != 0) { + isp_clear(0); + _SEE_MUTEX_UNLOCK + SEE_DEBUG("isp_compute_dh_param fail %x\n", r); + return SEE_ERROR; + } + _SEE_MUTEX_UNLOCK + + SEE_DEBUG("%s OUT\n", __func__); + return SEE_OK; +} +#endif /* CONFIG_HW_DH_PARAM */ + +#if defined(CONFIG_HW_ECDSA_VERIFICATION) +int see_setup_key_internal(unsigned char *key_der, unsigned int key_len, + unsigned int key_type, unsigned char *key_buf) +{ + int r; + + SEE_DEBUG("%s IN\n", __func__); + + if (key_der == NULL) { + return SEE_INVALID_INPUT_PARAMS; + } + + if (key_type < SECURE_STORAGE_TYPE_KEY_AES || + key_type > SECURE_STORAGE_TYPE_KEY_ECC) { + return SEE_INVALID_INPUT_PARAMS; + } + + _SEE_MUTEX_LOCK + ISP_CHECKBUSY(); + if ((r = isp_set_encryptedkey(key_der, key_len, key_type, key_buf)) != 0) { + isp_clear(0); + _SEE_MUTEX_UNLOCK + SEE_DEBUG("isp_set_userkey fail %x\n", r); + return SEE_ERROR; + } + _SEE_MUTEX_UNLOCK + + SEE_DEBUG("%s OUT\n", __func__); + return SEE_OK; +} + +int see_verify_ecdsa_signature_internal(struct sECC_SIGN *ecc_sign, + unsigned char *hash, unsigned int hash_len, + unsigned char *key_buf) +{ + int r; + + SEE_DEBUG("%s IN\n", __func__); + + if (ecc_sign == NULL || hash == NULL || hash_len == 0 || key_buf == NULL) { + return SEE_INVALID_INPUT_PARAMS; + } + + _SEE_MUTEX_LOCK + ISP_CHECKBUSY(); + if ((r = isp_ecdsa_verify_md_encryptedkey(ecc_sign, + hash, hash_len, key_buf)) != 0) { + isp_clear(0); + _SEE_MUTEX_UNLOCK + SEE_DEBUG("isp_ecdsa_verify fail %x\n", r); + return SEE_ERROR; + } + _SEE_MUTEX_UNLOCK + + SEE_DEBUG("%s OUT\n", __func__); + return SEE_OK; +} +#endif /* CONFIG_HW_ECDSA_VERIFICATION */ -- 2.7.4